Specifying incorrect container does not affect user search

Time:08-25

I am using the PrincipalContext class to connect to an Active Directory server and then use the ValidateCredentials method like this:

using System.DirectoryServices.AccountManagement;

// The placeholders in angle brackets stand for the real domain/server name and container DN.
var principalContext = new PrincipalContext(ContextType.Domain, "<some url>", "<some container>");
bool valid = principalContext.ValidateCredentials(userName, password, ContextOptions.Negotiate);

The <some container> parameter is of type Container and according to the documentation "All queries are performed under this root". Also according to this answer specifying the Container "... limits all queries using that DomainContext to the specified container."

The problem though is that against my company's AD server if I specify a container that does not exist or just put in gibberish the AD server still finds a user if I specify a user that exists with the correct password. Does anybody know why the user is still found? Is there some documentation you can point me to that explains this?

CodePudding user response:

The simple answer is that ValidateCredentials doesn't use the specified container, simply because it doesn't need to. It doesn't actually search for the user. It just attempts to authenticate to the server with the credentials specified.

You can see the source code for ValidateCredentials here, which ends up calling CredentialValidator.Validate (an internal class).

In the constructor of PrincipalContext, it creates the CredentialValidator object, but you'll notice that it does not pass the container to it, only the name (the domain name).

_credValidate = new CredentialValidator(contextType, name, _serverProperties);

The _serverProperties variable is also built from only the server name, not the container, which you can see from the ReadServerConfig method.
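An added example (not code from the question or the answer) showing the practical consequence: if the intent is "only accounts under this OU may log in", ValidateCredentials alone does not enforce that, so after the password check the account has to be resolved under the container root, which searches do honour. It assumes a domain name, an OU distinguished name and a sAMAccountName or UPN as inputs.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

public static class ScopedLogin
{
    // Returns true only when the credentials are valid AND the account is
    // located under the given container (an OU distinguished name).
    // Assumed inputs: domain = "corp.example", container = "OU=Staff,DC=corp,DC=example".
    public static bool ValidateInContainer(string domain, string container,
                                           string userName, string password)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain, container))
        {
            // Step 1: authentication only. As the answer explains, the container is
            // never handed to CredentialValidator, so any valid domain account passes here.
            if (!ctx.ValidateCredentials(userName, password, ContextOptions.Negotiate))
                return false;

            // Step 2: authorization by location. Searches on this context are rooted at
            // the container, so an account that exists in the domain but outside the OU
            // resolves to null here. A container DN that does not exist makes this call
            // throw instead of silently succeeding, which is the behaviour we want.
            using (var user = UserPrincipal.FindByIdentity(ctx, userName))
            {
                return user != null;
            }
        }
    }

    public static void Main(string[] args)
    {
        // Example call with assumed values; replace with real domain, OU and credentials.
        bool ok = ValidateInContainer("corp.example", "OU=Staff,DC=corp,DC=example",
                                      args.Length > 0 ? args[0] : "jdoe",
                                      args.Length > 1 ? args[1] : "password");
        Console.WriteLine(ok ? "valid and inside container" : "rejected");
    }
}
```

Note that the two steps stay separate: a failed password check is an authentication failure, while a valid password for an account outside the container is an authorization failure, and logging them differently makes the second case visible in monitoring.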
